IM services could prove useful for business communications,
most businesses are concerned about security rather than
interested in innovative communication.
Consider the Apple iPhone. Some businesses that have
supported RIM's Blackberry smartphone are feeling pressure
from their employees to support the iPhone as well. Systems
security experts are hesitant to comply due to concerns over
information privacy. For example, the iPhone 3G does not
include data encryption native to the device. If the phone is
lost or stolen, private corporate information is vulnerable.
Systems analysts are stuck trying to serve both a demanding
workforce and corporate security needs.
CTO Gary Hodge at U.S. Bank is concerned about Web 2.0
applications. “We always said outside the corporation was
untrusted and inside the corporation was trusted territory.
Web 2.0 has changed all that. We've had to expose the internal
workings of the corporation. There's a whole rash of new
devices coming out to enable people to compute when they
want to, with the iPhones and smartphones.” Hodge worries
that smartphone manufacturers haven't paid enough attention to
security. CTOs and CIOs are feeling as though they are
losing control of their systems and data.
Dmitri Alperovitch, principal research scientist for Secure
Computing, is also concerned about security and Web 2.0. The
concern stems from the browser becoming a computing
platform itself. Although businesses have learned to protect
traditional operating systems, they have little power when the
browser is acting like an operating system. Web 2.0 sites and
social networking sites allow anyone to create applications
and post files and content. This increases the risks of transmitting
malware and revealing corporate secrets. Gary
Dobbins, director of information security at the University of
Notre Dame, has simple and effective advice for information
security: “Never trust the browser.”
In banking, minor lapses in security can have devastating
results. Bank CIOs see Web 2.0 as expanding their security
perimeter. Web 2.0 gives them a much larger area to watch.
Because of this, many banks are taking a hard line. For example,
U.S. Bank only allows employees to access business-related
content on their PCs. The bank restricts the use of any
type of portable storage including USB drives and CDs. Every
electronic transmission that leaves the bank is monitored.
For Gary Hodge, investing in information security at U.S.
Bank isn't a matter of ROI, but rather a survival necessity. “We
protect money. It's new for us to have to protect vast amounts
of information,” Hodge said. “We spend millions of dollars on
security but it doesn't generate any new revenue. I haven't
been able to show anybody a return on investment. It comes
down to can we secure the organization at the right risk and
the right cost. You can't spend all the money. You have to
figure out what level of risk you're willing to tolerate.”
Critical Thinking Questions
1. Do you think that over time consumer devices may become as secure as banking systems? Why or why not?
2. Do you think the “hard line” taken by U.S. Bank with regard to information security policies is justified? Why or why not? Would you be willing to work in that environment?
Sources:
Stokes, Jon, “Analysis: IT consumerization and the future of work,” Ars Technica, July 6, 2008, http://arstechnica.com/news.ars/post/20080706-analysis-it-consumerization-and-the-future-of-work.html;
Skinner, Carrie-Ann, “U.K. businesses ban IM over security concerns,” Computerworld, July 15, viewArticleBasic&articleId=9110159;
Brodkin, Jon, “U.S. Bank suffers Web 2.0 security headaches,” Network World, April 30, 2008, www.networkworld.com/news/2008/043008-interop-bank-web-2-security.html;
Hamblen, Matt, “iPhone 3G, business must wait,” Macworld UK, June 16, 2008,
Case Two
Sometimes in protecting a network, the ones to watch are
within the organization. That's the lesson learned by the City
of San Francisco. The city's network administrator for its
multimillion-dollar wide area network (WAN) seized control of
the network and denied other system administrators access
for ten days, even while he was jailed.
The network administrator, who had been experiencing
conflicts with his supervisor, created a super password that
effectively locked all administrators but himself out of the
network's switches and routers. When he refused to reveal
the password, he was arrested and held on a $5 million bond.
The network that he held captive connects various city offices
around San Francisco and supports 60 percent of the municipal
government's information traffic. During the system
administrator's incarceration, the city network continued
functioning without incident.
The system administrator's lawyer argued the defendant
felt that none of the people who requested the password were
qualified to have it. The defendant claimed his supervisor was
undermining his work. The defendant wanted to uncover the
problems in the city's Department of Telecommunication
Information Services (DTIS). His intent was to “expose the
utter mismanagement, negligence, and corruption at DTIS,
which if left unchecked, will in fact place the City of San
Francisco in danger,” his motion read. It is assumed that
drastic budget cuts that resulted in losing 200 of 350 employees
at DTIS were behind the stress that ultimately drove the
administrator to extreme measures.
The network administrator finally revealed the super
password after ten days in prison, when San Francisco mayor
Gavin Newsom visited him. The two had a lengthy private
discussion that concluded with the mayor receiving the
password, saving the city the hundreds of thousands of dollars
it would have cost to reset hundreds of switches and routers
around the city one by one.
This case points to several important lessons for businesses
to observe regarding system administration. Rick
Discussion Questions
1. What are the differences in information security needs for a bank versus a retail store?
2. Why are IT consumerization and Web 2.0 challenging business information security?